HP MSR2000/3000/4000 Router Series Fundamentals Command Reference

# Verify that you can assign Ethernet 1/5 to VLAN 10. In this example, the user role can access any
VLAN because the default VLAN policy of the user role is used.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] port ten-gigabitEthernet1/5
# Verify that you cannot enter Ethernet 1/2 interface view.
<Sysname> system-view
[Sysname] interface ethernet 1/2
Permission denied.
Related commands
display role
interface policy deny
role

permit vlan
Use permit vlan to configure a list of VLANs accessible to a user role.
Use undo permit vlan to remove the permission for a user role to access specific VLANs.
Syntax
permit vlan vlan-id-list
undo permit vlan [ vlan-id-list ]
Default
No permitted VLANs are configured in user role VLAN policy view.
Views
User role VLAN policy
Predefined user roles
network-admin
Parameters
vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN
by its VLAN ID or a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs
is 1 to 4094. If a VLAN range is specified, vlan-id2 must be greater than vlan-id1.
Usage guidelines
To permit a user role to access a VLAN after you configure the vlan policy deny command, you must add
the VLAN to the permitted VLAN list of the policy. With the user role, you can create, remove, or
configure only the VLANs in the permitted VLAN list, enter their views, and specify them in a feature
command.
You can repeat the permit vlan command to add permitted VLANs to a user role VLAN policy.
The undo permit vlan command removes the entire list of permitted VLANs if no VLAN is specified.
Any change to a user role VLAN policy takes effect only on users that log in with the user role after the
change.
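
The following Python sketch is an added example, not part of the HP reference. It validates a vlan-id-list against the rules in Parameters and computes the effective permitted set from a sequence of permit vlan and undo permit vlan lines, for auditing a role's VLAN scope. The function names and sample lines are hypothetical, and treating undo permit vlan with a list as removal of exactly those VLAN IDs is an assumption.

```python
# Added example: validate `permit vlan` arguments and audit a role's VLAN scope.
MAX_ITEMS, VLAN_MIN, VLAN_MAX = 10, 1, 4094  # limits stated under Parameters

def _vlan_id(token):
    if not token.isdigit() or not VLAN_MIN <= int(token) <= VLAN_MAX:
        raise ValueError(f"invalid VLAN ID: {token!r}")
    return int(token)

def parse_vlan_id_list(text):
    """Return [(low, high), ...]; raise ValueError on any rule violation."""
    tokens, items, i = text.split(), [], 0
    while i < len(tokens):
        low = _vlan_id(tokens[i])
        if i + 1 < len(tokens) and tokens[i + 1] == "to":
            if i + 2 >= len(tokens):
                raise ValueError("range is missing vlan-id2")
            high = _vlan_id(tokens[i + 2])
            if high <= low:  # vlan-id2 must be greater than vlan-id1
                raise ValueError(f"bad range: {low} to {high}")
            items.append((low, high))
            i += 3
        else:
            items.append((low, low))
            i += 1
    if not items:
        raise ValueError("empty vlan-id-list")
    if len(items) > MAX_ITEMS:
        raise ValueError(f"{len(items)} items given, at most {MAX_ITEMS} allowed")
    return items

def permitted_vlans(policy_lines):
    """Effective permitted set, assuming `vlan policy deny` is configured."""
    allowed = set()
    for line in policy_lines:
        words = line.split()
        if words[:2] == ["permit", "vlan"]:  # repeated commands accumulate
            for low, high in parse_vlan_id_list(" ".join(words[2:])):
                allowed.update(range(low, high + 1))
        elif words[:3] == ["undo", "permit", "vlan"]:
            rest = " ".join(words[3:])
            if not rest:  # no list given: the entire permitted list is removed
                allowed.clear()
            else:  # assumption: removes exactly the listed VLAN IDs
                for low, high in parse_vlan_id_list(rest):
                    allowed.difference_update(range(low, high + 1))
    return allowed

# Constructed sample policy lines (not taken from the manual).
SAMPLE = ["permit vlan 2 4 50 to 100", "permit vlan 10", "undo permit vlan 4"]
```

Comparing the returned set with the VLANs a role is supposed to manage shows over-broad ranges before the policy is applied.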